Privacy Notice

1. Introduction

(a) Valuing your privacy and safeguarding your personal data.

At Dufry, we respect your privacy and adhere to applicable data protection and privacy laws and relevant e-commerce laws globally. We strive to consistently exceed our clients’ expectations regarding the products and services that we offer to our travel retail customers. We create experiences that our customers value by responsibly using information with which you entrusted us.

This Privacy Notice describes the way we treat all the personal data you provide or that we have obtained through our Dufry Websites and Applications and in our retail stores.

(b) Applicability and links to other third party applications and/or websites

This Privacy Notice applies to all visitors and anyone who accesses or uses our products and services of the retail store locations (“Stores”) and the global Dufry.com websites and any local country Dufry websites or our mobile applications currently called Red by Dufry application, Forum By Dufry,Dufry Red Loyalty Program or Reserve and Collect customer program mobile applications (as amended from time to time) of Dufry AG, its subsidiaries, affiliated companies and such other companies where Dufry AG has effective management control over such entities (collectively called “Dufry”, “us” ,”we” and such websites and applications collectively called “Dufry Websites and Applications”). “Personal data” means any information relating to an individual who is identified or identifiable, such as name, address, email, phone number and information relating thereto.

Dufry Websites and Applications may contain links to and from the applications and/or websites of our partner networks, advertisers, third parties and affiliates. They are merely for informational purposes. If you follow a link to any of these applications and/or websites, please bear in mind that they have their own privacy policies and that we assume no responsibility or liability arising whatsoever nor endorse any practices from their policies.

BY ACCESSING DUFRY WEBSITES AND APPLICATIONS AND ACCEPTING THE STATEMENT WITH THE LINK OK, I AGREE AND CONTINUING TO ACCESS THE DUFRY WEBSITES AND APPLICATION OR YOU ENTER AND PURCHASE PRODUCTS IN OUR STORES, YOU ACCEPT THE TERMS AND THE PROCESSING OF PERSONAL DATA DESCRIBED IN THE PRIVACY NOTICE. IF YOU DO NOT AGREE, PLEASE REFRAIN FROM ACCESSING DUFRY WEBSITES AND APPLICATIONS OR OUR STORES.

YOU MAY WITHDRAW YOUR CONSENT AT ANY TIME. WE WILL THEN REFRAIN FROM FURTHER PROCESSING YOUR PERSONAL DATA, EXCEPT TO THE EXTENT THE PROCESSING OF YOUR PERSONAL DATA IS LAWFUL FOR OTHER REASONS EVEN WITHOUT YOUR CONSENT, SUCH AS LAWFUL PURPOSES AS FULFILLING THE CONTRACTUAL OBLIGATIONS OR COMPLIANCE WITH LAW OR TO PROTECT OUR OR THIRD PARTIES LEGITIMATE INTERESTS (SUCH AS THE UNINTERRUPTED AVAILABILITY OF OUR WEBSITE OR ENFORCEMENT OF VIOLATIONS OF LAW).

2. Sources of Personal Data and What Personal Information about Customers do Dufry Websites and Applications collect?

(a) Controller and Processors of Personal Data

Dufry AG and the owner of the local website (as set out in the terms) which you are currently visiting or the local Dufry entity which owns the local Store that you are visiting or from whom you are purchasing goods are joint controllers of the personal data that you (as data subject) provide us or we received in our Stores and Dufry Websites and Applications.

(b) Types of Personal Data collected and Sources of Personal Data

We collect personal data directly from our customers through Dufry Websites and Applications and our Stores.

We obtain, use, disclose and otherwise process personal data about customers to (i) process transactions they request, including e-commerce Reserve and Collect selection and mobile transactions, (ii) improve Dufry Websites and Applications, Stores, quality of service and customers shopping experience, (iii) send communications about our products, services, campaigns, promotions, competitions, sweepstakes and customer satisfaction surveys, (iv) prevent and detect fraud and abuse, (v) process information or claims in connection with incidents at Stores, (vi) enable service providers to perform certain activities on Dufry’s behalf, (vii) protect the log in details of the subscribers and system integrity of the Dufry Websites and Applications, (viii) comply with legal obligations, policies and procedures and for internal administrative and analytics purposes,(ix) allow valid RED loyalty members to access their accounts and accumulate and redeem points under their RED loyalty card and receive the relevant discount on their purchases in Stores according to their status as a RED loyalty card member and (x) to commence, protect or defend Dufry in actual or threatened legal proceedings.

We collect the following types of personal data about you from the following sources:

Information that you provide to us: We receive and store any information you enter on Dufry Websites and Applications and Stores or give us in any other way such as during registration, accessing your account or profile, submitting queries or as part of a survey or competition or utilising gift coupons or customer support or communicate with us or purchasing in Stores or using our products or services.

Due to such actions, you supply us with your (i) name, postal address, email address, phone numbers, (ii) data necessary to process your payment (including the credit card/payment instrument information and personal security code associated with your credit card) for Store purchases or on line purchase of gift vouchers, to reserve purchases (under the Dufry Reserve & Collect Application), to apply for a refund, or to communicate with customer services regarding a refund to the credit card/payment instrument, (iii) flight destination, flight date and delivery address for the subscriber and airport location to collect any pre ordered reserve & collect products or make purchases of our products and services in Stores. Demographical data such as your age, gender, country, preferred language, passport number and citizenship, date of birth and country of residence are also collected. You must hold a valid flight ticket to be able to make duty free or duty paid purchases from Dufry. Such information is collected to meet our contractual obligations to our landlord and airport authorities and legal obligations towards customs and other regulatory authorities.

When you register for membership, subscribe for services or the newsletter or other marketing communications including blogs or customer comments or use the Dufry Websites and Applications or purchase in our Stores, we collect log in details, passwords, any password questions and hints, similar security information used for authentication and account access is also collected for the access into your personal account and profile and to utilise the Reserve and Collect elements or the RED customer loyalty elements of Dufry Websites and Applications or in our Stores.

You can choose not to provide certain information, but then you might not be able to utilise many of the features of the Dufry Websites and Applications. See What Are My Choices section below. (https://sso.dufry.com/profile)

Information collected automatically through interaction with us: We receive and store information where you interact with us through using our products and services, including online technologies (ie Cookies) and receiving error reports or usage data from software applications on your devices online or via WiFi communications in Stores.

We collect and analyse device, connectivity and configuration data including the Internet protocol (IP) address used to connect your computer or device to the internet, computer and connection information such as browser type, version, time zone and other computer software installed on the device, browser plug in types and versions, operating system, shopping preferences, wish list, purchase history, the features you use and pages accessed and web sites visited.

We also collect the Uniform Resource Locator (URL) clickstream to and from our Dufry Websites and Applications, including date and time, cookie number, products viewed and searched for and the phone number used to contact our customer support teams. We collect technical information to help us identify your device for fraud prevention and diagnostic purposes such as any problems to the product and settings, error reports including data as to the type and severity of the problem, details of software and hardware related to an error, contents of files you were using when an error occurred and data about other software on the device.

We collect browser data including persistent and session cookies and other online technologies as set out below in the Online Technologies section below. We utilise Google Analytics to assist with software tools to measure and collect the performance data on Dufry Websites and Applications including download error or performance issues caused. Further information can be found under (Google Analytics Terms of Service & Privacy).

Most browsers allow you to opt out of cookies or turn on do not track. For more information, see What are My Choices section below [https://sso.dufry.com/profile].

Mobile or Dufry Applications: When you choose to use or download Dufry Websites and Applications or allow connectivity via WiFi connections to your device, we receive information about your location and mobile device, including a unique identifier for your personalised device, your GPS data or wireless networks data (WLAN). Location data is neither stored nor transmitted to third parties If you agree with the localisation function, we can provide you with location-based services including advertising, search results and personalised content. Once you are near one of our Stores, then we can use push email communications to you if you have provided your preference to receive such communications and advertising.

Most mobile devices allow you to turn off location services. For more information, see What are My Choices section below [https://sso.dufry.com/profile].

E-Mail Communications: To provide more personalised and interesting email communications, we receive a confirmation when you open email from Dufry Websites and Applications or your device is near one of our Stores, if your computer or device supports this capability. Additionally, we compare our customer list to lists received from other companies, in an effort to reduce repetitive or unnecessary messages or spam being sent to our customers.

If you choose not to receive any Emails or other mail from us, please adjust your customer communication preferences in your account profile.

Information from other Sources: We receive information about you from other sources and add it to our account information. The third party sources include:

Updated delivery and contact address data from third parties which are used to update our records and deliver your next purchase more easily;

Social networks when you grant permission to Dufry Websites and Applications to access your data on one or more networks;

Service providers that help us determine a location based on your IP address to allow customisation of certain products to your location;

Publicly-available sources from open government databases or other data in the public domain; and

Credit history information from credit bureaus, which we use to help prevent and detect fraud.

3. Lawful basis and purposes for processing and using your personal data

(a) Lawful purposes

Your personal data is processed by the Group on the basis of a lawful “justification” for such processing, to the extent required by or permissible under applicable law. The processing of special categories of personal data (including data relating to health, sexual preferences racial or ethnic origin, religious beliefs) is always justified on an additional basis as set out below.

In the majority of cases, the processing of your personal data will be justified on one of the following bases:

It is provided for in your contract of providing products and services requested by you to be provided by us;

It is necessary for us to comply with a legal obligation;

It is with your freely provided unequivocal and informed consent for specified processing purposes: or

It is in our legitimate interests as a business and as your supplier of contractually requested goods, and our interests are not overridden by your interests, fundamental rights or freedoms including legitimate interests as set out below.

The processing of special categories of personal data will be justified by one of the above conditions and normally by one of the following special conditions:

It is necessary for the purposes of carrying out legal obligations:

It is carried out subject to your explicit consent:

It is necessary for the establishment, exercise or defence of legal claims: or

In exceptional circumstances, it is necessary to protect your vital interests and you are incapable of giving consent.

process transactions they request, including e-commerce Reserve and Collect selection and mobile transactions,

process information from the RED loyalty programme to verify the identity of the cardholder is the owner of the RED loyalty card and to ensure that the collection or redemption of RED points and confirm the status of a customer to allow for the correct discount to be applied to the sales of goods purchased in Stores or goods reserved for collection under the Reserve & Collect application and purchased in person in Stores; This information will enable us to provide access to all areas of the loyalty programmes, the Reserve and Collect and Red by Dufry applications contained in Dufry Websites and Applications.

review and collect data from the boarding pass, nationality, destination and holder of the valid boarding pass to ensure that the passenger is part of the travelling public to allow Dufry or the Group to provide duty free goods under the terms of the contractual agreement with our landlords or airport authorities;

provide payment services including credit cards for online purchases and in Stores purchases;

provide goods and services to the customers that they have requested (ie provided an email address to allow the regularly newsletter to be provided to the customer)

to maintain our business relationship, where you are a user or subscriber of our Dufry Websites and Applications,

to maintain our business relationship and communicate with you where you are a RED loyalty member;

to answer your enquiries;

improve Dufry Websites and Applications, Stores, quality of service and customers shopping experience,

enable service providers to perform certain activities on Dufry’s behalf,

protect the log in details of the subscribers and system integrity of the Dufry Websites and Applications,

comply with legal obligations, policies and procedures and for internal administrative and analytics purposes,

to communicate with you and personalize our communications with you. i.e. respond to your queries or accommodate your preferences and registration for program membership. We communicate with you by email or phone or SMS to inform you about our services, how to keep your subscription or account active, to communicate regarding a refund or customer inquiry or assisting with web site or Dufry Websites and Applications access or technical queries or to participate in a customer survey or a competition or to receive a promotional coupon or discount rebate or to invite you to attend an event sponsored by the Dufry Websites and Applications or in Stores, and

to commence, protect or defend Dufry in actual or threatened legal proceedings.

We use personal data to carry out your contractual transactions with us and to provide our products (including the reserving of and pre-selection of duty free products listed in the Reserve and Collect application for collection at the requested Store) to you as requested by you. This includes using your personal information to register or subscribe to any services provided thorough Dufry Websites and Applications.

We collect personal data especially the collection of the passenger name, boarding card to ensure that the consumer reserving the products is a valid traveller to meet our contractual obligations to our landlord and long term concession agreement as well to allow the calculation of the VAT or similar tax allowances to be calculated for the customs authorities.

Where we process your personal data on the basis of our legitimate interests, those will be our interests in :

The conclusion of the specific processes listed above;

Providing and improving the products we offer and perform essential business operations. This includes operating the products, maintaining and improving the performance of the products, developing new features, conducting research and providing customer support.

Protecting the security and safety of our products and our customers, to detect and prevent fraud to confirm the validity of the subscriber logging into Dufry Websites and Applications;

Using personal data for statistical and analytical purposes. Whenever reasonably possible we will anonymize such information before using it for statistical or analytical purposes. Such information is processed in the legitimate interests of Dufry AG to maintain the efficiency, relevancy and availability of the Dufry Websites and Applications;

Effective management and operation of Dufry and the Group companies;

Our engagement with and communications with our customers;

Developing our business and the business of the Group as a whole;

Increasing the efficiency of our processes and practices:

Striving to ensure compliance with the Group’s policies and procedures and applicable laws and business norms:

Ensuring the on-going stability and availability of the Dufry Websites and Applications or in our Stores;

Avoiding or mitigating harm to you, to our customer, to us and the Group and to third parties.

Advertising : Sending you newsletters, notifying you of special offers or promotions or asking you to participate in customer surveys or to provide invitations to attend events or provide advertising based on your interests (as indicated by your cookies), if you provide your preference to do so.

4. Sharing your Personal Data

We will not transfer or disclose your personal information outside our corporate group of Dufry AG, other than as set out below:

in connection with a joint venture or business combination where Dufry AG corporate group holds less than 50% ownership or does not have effective management control of such joint venture or business combination;

sending or making promotional offers to selected groups of customers of Dufry Websites and Applications or Stores on behalf of other companies (but if we do this, then we do not give that business your name and address). If you not want to receive these emails, please advise us by notifying us at privacy@dufry.com or updating your preferences in your account profile;

to third party service providers (companies or individuals) that we employ to perform functions on our behalf such as fulfilling orders, delivering to retail locations or Stores, sending postal mail and email, removing repetitive information from customer lists, analysing data, providing marketing assistance, providing search results and links, processing credit card payments and providing customer service. These providers have access to personal information needed to perform their functions, but may not use it for other purposes and include the following categories of data recipients:

(i) advertising and media consultants,

(ii) market research consultants;

(iii) providers of technical services;

(iv) website designers and developers;

(v) cloud computing service providers;

(vi) electronic storage providers;

(vii) customer services;

(x) recruitment agencies;

in connection with the proposed merger, acquisition or sale or as a result of the actual sale of all or part of the assets of, or shares in Dufry AG or a business transfer of business activities of Dufry AG occurs other than without a sale or acquisition;

in releasing account and other personal data to comply with the law, undertaking litigation or other proceedings or to enforce or comply with or apply our terms of use and other agreements, or protect the rights, property or safety of Dufry Websites and Applications or Stores. This includes exchanging information with other companies for fraud prevention and credit risk reduction;

to comply with legal or regulatory requirements or obligations in accordance with applicable law, a court order or a subpoena,

with regulatory authorities, airport authorities, Dufry AG and Group landlords and concession partners and customs and tax authorities to show the calculation of such tax exemptions; or

to data analytical firms, Google Analytics Inc.or;

in an emergency, such as to safeguard the life, health, or property of an individual; or

with your consent to proceed to share your personal information with third parties where required by applicable law.

Nevertheless, within our corporate group of Dufry AG, certain services are centralised to provide one or more affiliates for the entire group or a part of it.

5. Storing your Personal Data

Your personal information you have provided to either or both joint controllers be located in a Dufry AG cloud based customer management database software tool located within data centres maintained in the territories of the EEA, unless the local data protection laws require that the local Dufry entity will be included in a file owned by the local Dufry Entity, the purpose of which is to manage the business relationship with you, in accordance with the provisions of the local data protection laws. However, the customer relationship and the personal data if any is held with the local Dufry entity who owns this Website or Applications can be accessed or communicated to group or affiliated companies of Dufry AG.

Dufry AG and local Dufry AG entity will manage the customer relationship with you and any marketing materials can be provided, in accordance with your preferences, by Dufry as Controller or by the local Dufry entity as a joint controller or processed on behalf of Dufry AG.

6. Security of personal data

Your personal data will be secured by taking security measures that are commensurate with the sensitivity of the personal data processed. To this end, Dufry and all Group entities maintain appropriate physical, technical, and administrative security measures with a view to protecting personal data against theft; accidental loss; unauthorised alteration; unauthorised or accidental access, processing, erasure, use, disclosure or copying; and/or accidental or unlawful destruction.

When we have provided (or you have chosen) a password allowing access to certain benefits of the Dufry Websites and Applications, you are responsible for safeguarding it and keeping it confidential and you undertake not to allow it to be used by third parties. Unfortunately, the transmission of information thorough the internet is not completely secure. Although we will take all reasonable commercial measures to protect your personal data, we cannot guarantee the security of any personal information or data you disclose on line. You accept the inherent security implications of using the internet and to the extent permitted by law, we will not be responsible for any breach of security, unless we have been acting with gross negligence and only within the limitations as set out in the terms and conditions of use for Dufry Websites and Applications.

7. Transfers of Data Outside of Your Country

Your personal data (as described above) may be transferred to other Group entities or to third parties described above, only to the extent required for Dufry AG and group companies to perform their obligations to you, or for you to access your Dufry Websites and Applications, or for the purposes described above in this Notice, provided such purposes are in accordance with applicable laws. In particular:

Your profile and contact information contained in systems such as corporate communications systems, customer relationship management databases or directories will be accessible to all marketing, sales and customer support or customer care employees of Group companies worldwide.

Your personal data may be transferred to or accessed by Group employees located inside or outside your country, and/or a person or company that is not part of the Group located in or outside your country, on a need-to-know basis. Transfers outside the EU may be made pursuant to the European Commission's Standard Contractual Clauses ("SCC"), the EU-U.S. Privacy Shield certification or other legally acceptable mechanisms which ensure an adequate level of protection. As permitted by law, you may be entitled, upon request to the Global Data Protection Co-Ordinator, to receive a copy of any contractual documentation showing that appropriate safeguards have been taken to protect your Personal Data for transfer outside the EU.

Dufry AG may process your personal data as a controller in order to administer and provide you with products and services that you requested, to administer global sales and customer programs, promotional and marketing activities and surveys, competitions and coupon and gift promotions, communications with customers, advertising campaigns with us, to manage sales and customer relationships and to prepare sales and customer relationship management and customer support reporting, consistent with the terms of this Notice. Dufry AG is located in Switzerland, a country that benefits from an adequacy decision of the European Commission that has found Swiss law to afford adequate protection to personal data.

Transfers may be made to respond to law enforcement requests or discovery procedures, or where required or permitted by applicable laws, court orders, government regulations, or government authorities (including tax and employment). Such transfers may entail access by courts or governmental authorities outside your country, after having ensured that only your minimal necessary data is disclosed and transferred, or that such data is de-identified or that, where possible, appropriate stipulative court orders have been issued.

Transfers of Personal Data in accordance with this Section 7 are based on the same legal bases as applicable for the respective purposes of processing as set out above.

8. Retention of personal data

Dufry data retention policy requires that personal data be retained for no longer than required to fulfil the purposes for which it was collected. Dufry AG can provide a copy of the Group Data Retention Policy upon request to the email address: privacy@dufry.com. In general, personal data, or records containing personal data, will be retained for periods of time required in accordance with applicable legal, tax, or accounting obligations. In specific circumstances, and in accordance with applicable law, Dufry may retain your personal data for longer periods of time (such as for the duration of the relevant statute of limitation) so that we have an accurate record of our dealings with you or to protect the legitimate interests of Dufry AG or local Dufry entity name, who owns this Dufry Website or Application. In all cases, where your information is no longer required, Dufry will ensure it is disposed of in a secure manner.

9. Minors

Dufry Websites and Applications do not provide products and services to children. Whilst we may sell toys and confectionary which may appeal to children, any reservation for our products and services can only be provided to adults over the age of 18 years old. We do not knowingly collect personal information from children under the age of 18 years, without the consent of the child’s parent or guardian. Accordingly, the parent will need to complete and submit a fully completed and signed Parental Personal Data Consent Form along with evidence of the person’s identity, to the email address: privacy@dufry.com.

10. Online Technologies including Cookies

As a visitor, subscriber or continuing to access the Dufry Websites and Applications or via the WiFi network or location services in Stores, you consent to use of cookies and other online technologies as detailed in this Section and in accordance with this privacy statement. Dufry and its third party marketing partners may use cookies, invisible pixels and web beacons to obtain information about you while visiting the Dufry Websites and Applications and our Stores.

(a) Cookies

A "cookie" is a small text file that identifies your mobile device and/or equipment on our server. None of the Cookies we use collect your personal information and they cannot be used to identify you, only the mobile device and/or equipment used. Unless stipulated otherwise, we will not pass personally identifiable data to third parties.

In order to use Cookies in Dufry Websites and Applications, we ask your express consent to accept cookies on the Dufry Websites by clicking “Okay, I agree”: (in the introductory page of the Dufry Websites and Applications, for it to be placed on the hard drive of your mobile device and/or equipment.)

We use 'persistent' cookies. 'Persistent' cookies usually have a long shelf life because they are "collected" and "updated" every time a user visits an application and/or page where the same or a similar cookie is being used.

Once you consent to the use of Cookies, the file is added and the cookie helps to analyse web traffic and lets us know when you visit a particular site. Cookies allow applications to respond to you as an individual. The web application can tailor its operations to your needs, by gathering your likes and dislikes and remembering information about your preferences. We use traffic log cookies to identify which applications and/or pages are being used. This helps us analyse data on web traffic and improve our Dufry Websites and Applications in order to adapt it to the customer’s needs. We only use this information for statistical analysis purposes and then the data is removed from the system.

Information obtained through cookies is used by us and by third parties that we have hired in order to show you advertising related to your preferences. For a full list of the cookies that we use, please click here

Cookies generally help us provide better Dufry Websites and Applications, which allows us to monitor which pages you find useful and those which are not. A cookie does not allow us to access any other data on your mobile device, equipment or to any information about you, other than the data you choose to share with us. You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can modify your browser setting to decline cookies if you prefer. Cookies, including those which have already been set, can be deleted from your hard drive.

f you wish to do so, you can change your browser settings and choose the options of storage or access to cookies, and enable, disable or delete them. These options should be done following the instructions in your browser (usually located in the "Help", "Tools" or "Edit" settings). However, you should be aware that by disabling the use of cookies may result in the inability to access some of the application areas, or suspend communications containing personalized information or avoid the correct functioning and access to Dufry Websites and Applications. For more information about how to change cookies settings in the browser, you can visit www.allaboutcookies.org

(b) Google Analytics

Google Analytics are used to help us understand how to make the best use of our content and find out how we can improve it. These cookies allow us to track your progress through our Dufry Websites and Applications, collect personal data at their origin, which applications and/or pages you visit, and the time you spend on the site. This data is then stored by Google in order to create reports.

The information generated by the Google cookies about your use of the Dufry Websites and Applications, including your IP address, can be transmitted and stored by Google on servers in the United States. Google may use this information for the purpose of evaluating your use of the website, compiling application activity reports for us and providing other services relating to website activity and internet usage. Google may transfer this information to third parties when so required by law or where such third parties process the information on behalf of Google. Google will not associate your IP address with any other data held by Google. The Google Website has more information about Google Analytics and a copy of Google’s privacy policy pages.

We also work with vendors and strategic marketing partners to help deliver advertisements and personalised content that we believe will be of interest to you. These vendors and other partners include advertisers, advertising agencies, advertising networks, audience segment providers, data exchanges, analytics providers and other similar providers.

We may also engage one of these vendors to deliver our advertisements to consumers whose online behaviours on sites other than Dufry Websites and Applications indicate that they be interested in Dufry products and services. In other instances, we engage in special arrangements with certain advertisers in which we think our website visitors and subscribers would have an interest. We allow these advertisers to deliver co-branded messages (Dufry and advertiser) directly to consumers who have visited or subscribed to Dufry Websites and Applications.

Dufry Websites and Applications use what are known as Adserver systems for internet advertising and distribution of advertisements to desktop computers and mobile devices (ie. tablets, computer and smartphones). These systems control the distribution of advertisements using cookies. The cookies are stored for advertising contracts and by clicking on the advertiser’s advertisements, as well as by visiting the advertisers website on your computer or mobile device. The Adserver systems and cookies enable the provider to review the success of their advertising and to address website visitors with targeted advertising by activating advertisements that are personalised and related to the interests of the providers’ website visitors. Whilst personal data, ie name, address are not stored. You can deactivate the use of cookies by Adserver systems by means of a cookie opt out by clicking on the link below.

On some websites of our on line catalogue, we use social plugins of the social network www.facebook.com , which is operated by Facebook Inc., 1601 S.California Ave, Palo Alto, CA 94304, USA (“Facebook”).

The websites of our online catalogue in Dufry Websites and Applications can contain a plug in are marked with a clearly visible Facebook logo (ie white “f” on a blue icon) or the addition of “Facebook Social Plugin”).

If you access a website like this containing such a plugin, your browser will establish a direct connection with the Facebook servers and Facebook will transmit the content of the plugin directly to your browser.

If you are registered with Facebook and are logged into your Facebook user account, Facebook will receive the information that you accessed the respective website by the integration of the plugin. If you use the plugin actively by activating the “like” button or the “share” button or placing a commentary on the respective website, the corresponding information will be transmitted from your browser directly to Facebook and used there in Dufry Websites and Applications.

In order to avoid Facebook collecting the above information about you when you access such a website, please following the instructions in settings on the Facebook website and/or log out of the Facebook website, before visiting the respective website in Dufry Websites and Applications. Additionally, you should delete any Facebook cookies present from your browser.

The purpose and extent of data collection and further use and usage of data by Facebook as well as your rights and setting options in this regard for the protection of your Personal Data or private space can be found in the Facebook Privacy Policy. We assume no responsibility for the contents of the websites and the Facebook Privacy Policy.

11. What are your rights?

You have the right under applicable law to access, obtain a copy and correct personal data concerning you, subject to limited exceptions that may be prescribed by applicable laws. Where justified and mandated by applicable law, you may also require that your personal data be deleted or blocked, or you may be entitled to obtain information about the processing of your data, or object to further processing of your data.

In the event your personal data is processed on the basis of your consent, you have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. You can do this by (i) in some cases deleting the relevant Personal Data from the relevant IT system (although note that in this case it may remain in back-ups and linked systems until it is deleted in accordance with our data retention policy) or (ii) contacting your Global Data Protection Co-Ordinator.

As permitted by law, you also have the following additional rights:

Data portability - where we are relying upon your consent or the fact that the processing is necessary for the performance of a contract to which you are party as the legal basis for processing, and that personal data is processed by automatic means, you have the right to receive all such personal data which you have provided to Dufry or the Group in a structured, commonly used and machine-readable format, and also to require us to transmit it to another controller where this is technically feasible.

Right to restriction of processing - you have the right to restrict our processing of your personal data where:

you contest the accuracy of the personal data until we have taken sufficient steps to correct or verify its accuracy;

where the processing is unlawful but you do not want us to erase the personal data;

where we no longer need your personal data for the purposes of the processing, but you require such personal data for the establishment, exercise or defence of legal claims; or

where you have objected to processing justified on legitimate interest grounds (see below) pending verification as to whether Dufry or the Group has compelling legitimate grounds to continue processing.

Where your personal data is subject to restriction in this way we will only process it with your consent or for the establishment, exercise or defense of legal claims.

Right to object to processing justified on legitimate interest grounds - where we are relying upon legitimate interest to process personal data, then you have the right to object to that processing. If you object, we must stop that processing unless we can either demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or where we need to process the personal data for the establishment, exercise or defence of legal claims. Where we rely upon legitimate interest as a basis for processing we believe that we can demonstrate such compelling legitimate grounds, but we will consider each case on an individual basis.

Right to object to processing for marketing purposes – you have the right to object to any processing of your data for marketing purposes (including profiling). Additionally, see What are My Choices?

Please contact us by submitting a Data Subject Access Request Form (available upon request) in writing or by email to either of the addressees listed below.

Dufry has appointed a Global Data Protection Co-Ordinator who may be contacted securely and confidentially at the following E – Mail address : privacy@dufry.com. Alternatively, you can send your Data Subject Access Request Form, written comments, questions or concerns to

12. What are My Choices?

Dufry Websites and Applications provide you with access to a range of information about your account and your interactions with us. To ensure that your personal data is accurate and up to date, we encourage you to regularly review and update your information as appropriate, if your communication preferences change or your contact details or address has changed. If you have subscribed to Dufry Websites and Applications, especially the Red by Dufry application or the Reserve and Collect Application, then you can either access your account and make the changes or request the changes are made by sending an email request along with evidence of your identity to privacy@dufry.com.

We like to inform you about our products and services and those of our partners and to also send you surveys, promotional materials and invitations to events, to participate in competitions or receive coupons or gift certificates as well as communications on your birthday or other special events. If you choose not to receive such communications or modify what method of communications such as SMS, email, letter or phone we use to contact you or you choose not to agree to the use of cookies or other on line technologies, then you to opt out of such activities by submitting the opt out provision which is the unsubscribe link to the website to allow the customer to unsubscribe (if an electronic communication), or for all other non-electronic communications, by submitting an objection email or letter to specify your preferences to privacy@dufry.com. You can change your preferences or choices at any time or provide a new consent to such activities by providing a signed consent form consenting to the use of cookies, advertising materials or preferred method of communication to privacy@dufry.com.

13. Changes to our Privacy Notice

Changes and amendment to the terms of this Privacy Notice can be made at any time and shall apply as soon as they are published on any Dufry Websites and Applications. Should you not agree to any changes or amendments, then you should refrain from continuing to use our services or products or access Dufry Websites and Applications or our Stores.

14. Where to make a Data Protection complaint?

You have the right to lodge complaints pertaining to the processing of your personal data with the relevant data protection supervisory authority.

Cookies Inventory.

Category

Name

Used by

Purpose(s)

Expiration Date

Personal Data

Information disclosed

Functional

Remember me

Dufry

Used to automatically login the user between sessions. If the user does not explicitly click on logout, then SSO will use this cookie to automatically login the user next time he will access the SSO

1 year

no

no

Functional

JSESSIONID

Dufry

Used to track the current session

End of each user session

no

no

Analytical

-ga

Dufry

Website analytics

2 years

no

no

Analytical

-gid

Dufry

Website analytics

24 hours

no

no

Analytical

AWSELB

Dufry/ Amazaon

Used to track the current session

End of each user session

no

no

Analytical

-utma

Dufry /Google Analytics

Website analytical to track visitors including first and last visit (returning visits)

Persistent cookie remains on computer until it expires or the cookie cache is cleared.

yes

Cookie updates when information sent to Google Analytics

Analytical

-utmb

Dufry /Google Analytics

Website analytical to determine new sessions/visits

Cookie created when javascript library executes and no existing –utmb cookies exists.

no

Cookie updates when information sent to Google Analytics

Analytical

-utmc

Dufry /Google Analytics

Website analytical to determine the end of browser sessions. Used to determine whether the user was in a new session/visit

Cookie created in conjunction with the –umtb cookie.

no

Cookie updates when information sent to Google Analytics

Analytical

-utmz

Dufry /Google Analytics

Website analytical to store the traffic source or campaign that explains how the user reached the site.

Cookie created when javascript library executes and is updated every time data is sent to Google Analytical